Groups - WebTMA 5

Path: Admin > User Management > Groups

The Groups windows are used to set preferences, privileges, and access for categories of Users that you consider a unit within WebTMA. The Tabs on this window are similar to the User Management window.

Creating Groups to grant access by group category saves time, helps you maintain good data, and prevents errors when you create individual user records. Most features described for Groups windows are the same as those for the User windows.

The Identity Tab includes a Security Group grid. If you use LDAP or SSO authentication, use links on the grid (in Add or Edit mode) to associate the Group with the correct LDAP domain or SSO group.

Make settings on the Window Access Tab and Data Access Tab one time for a Group, and the settings apply to any Users assigned to that Group.

Most features described for User Window Access Tab on page 48 and Data Access Tab on page 50 are available for Groups. These settings take precedence over all other User records. Group level Deny values for Window Access, Data Access, and Privileges override any access granted by other Groups or User records.

The Managed Resources Tab is visible if your organization uses Pending Charges Dispute (available to Enterprise users of the Advanced Accounting module). A similar Tab is available for individual users from the User Management / Records window. The Groups version has only one access column, Allowed Access, to determine whether access is granted or denied at the Group level.

After you establish a Group, users can be assigned from the Groups window or from Admin > User Management > Records / Groups window.

NOTE: Settings on the Groups / Preferences Tab apply only to users.

Groups Rules

Assigning group membership to users can speed the process of creating user records and assigning permissions. The group rules are as follows:

  • A person can belong to one or more groups.
  • A group can be established with permissions for specific Privileges, Preferences, Menus, Windows, and Data.
  • A group cannot contain another group.
  • All group permissions and restrictions are inherited by each group member. For example, if the group has rights to a facility, then all group members have rights to that facility. If the group is part of a repair center, then group members also belong to that repair center.
  • A False or Denied setting takes precedence when more than one group is assigned to a user. If permission is granted in one Group and the user is assigned to a second Group that denies the Privilege or Preference, the user is not given permission. Use False or Denied only if the users in a Group should not have access to a particular function.

The following table assumes the user has no Data Access set from the user record. It illustrates how the False/Deny principle works:

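| Window   | Group 1 Settings | Group 2 Settings | Permission to User |
|----------|------------------|------------------|--------------------|
| Window A | Not Determined   | Granted          | Granted            |
| Window B | Granted          | Denied           | Denied             |
| Window C | Denied           | Not Determined   | Denied             |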
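
A small model of the False/Deny rule shown in the table above, added here as an illustration and not WebTMA code. The `Setting` enum, the function names, and the sample group data are assumptions. It also reports which groups decided the result and which grants were overridden, which is useful when reviewing why a user lacks access.

```python
from enum import Enum


class Setting(Enum):
    NOT_DETERMINED = "Not Determined"
    GRANTED = "Granted"
    DENIED = "Denied"


def resolve_window(per_group):
    """Combine one window's settings across a user's groups.

    Returns (effective setting, groups that decided it, grants overridden).
    """
    denying = sorted(g for g, s in per_group.items() if s is Setting.DENIED)
    granting = sorted(g for g, s in per_group.items() if s is Setting.GRANTED)
    if denying:
        # A Deny in any group overrides a grant from every other group.
        return Setting.DENIED, denying, granting
    if granting:
        return Setting.GRANTED, granting, []
    # No group sets the window, so nothing grants it.
    return Setting.NOT_DETERMINED, [], []


def effective_access(user_groups, group_settings):
    """Resolve every window named by any of the user's groups.

    group_settings maps group -> {window: Setting}; a window missing from a
    group counts as Not Determined for that group.
    """
    windows = sorted({w for g in user_groups for w in group_settings.get(g, {})})
    return {
        w: resolve_window({g: group_settings.get(g, {}).get(w, Setting.NOT_DETERMINED)
                           for g in user_groups})
        for w in windows
    }


# Constructed sample data mirroring the table above (no user-level access set).
GROUPS = {
    "Group 1": {"Window B": Setting.GRANTED, "Window C": Setting.DENIED},
    "Group 2": {"Window A": Setting.GRANTED, "Window B": Setting.DENIED},
}

if __name__ == "__main__":
    report = effective_access(["Group 1", "Group 2"], GROUPS)
    for window, (result, decided_by, overridden) in report.items():
        note = f" (overrides grant from {', '.join(overridden)})" if overridden else ""
        print(f"{window}: {result.value} via {', '.join(decided_by)}{note}")
```
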

To distinguish between general options and more restrictive options, WebTMA uses Preferences Tab settings (general options) and Privileges Tab settings (more restrictive). If a preference value does not exist on the user’s record, it is loaded from the first user Group (alphabetically) with a value for that preference.

Groups Identity Tab

Path: Admin > User Management > Groups / Identity Tab

The window is divided into three sections:

  • Group Name — in the two fields at the top of the page.
  • List of users assigned to the group — TMA Users Groups. Note that the list of users that can be added is filtered by the data access of the person creating the Group record. Other than users with an Administrator Role, all other users that create a Group record are filtered by their Role and Repair Center settings in User Management, i.e., they cannot view, add, or remove any users they cannot access from the User Management window.
  • List of users who log in using LDAP or SSO — Security Group

You can define as many groups as needed for your organization.

Users of all types can be assigned to a Group from the Groups / Identity Tab or from the individual User window. The User record includes a separate Groups Tab.

For those that use LDAP authentication, designating a Security Group may be useful if your organization wants users who do not have a WebTMA user record to be able to log in to the application. If their domain Group Name is listed on the Group record, the following actions occur:

  • the user can log in
  • a user record is added to WebTMA for the person who logged in
  • the new user is assigned to the Group to which his domain group is assigned and inherits that Group's limits

Related is the check box found in Admin > LDAP Server Setup. The Auto-Create TMA User from LDAP User check box allows WebTMA to create a user record for anyone who logs in with LDAP authentication. The first time WebTMA automatically creates a record for a domain user who is not a TMA user, settings on the Preferences Tab may apply. See Groups Preferences Tab below for an explanation.

The Add SSO Group link on this window relates to SSO roles and applies to a WebTMA SAML interface. See How to Add SSO to Groups below for details.

How to Add a Group Record

Path: Admin > User Management > Groups / Identity Tab

  1. Click Add on the WebTMA toolbar.
  2. Type a group Name.
  3. Type a Description of the group.
  4. Click the Repair Center Tab and add at least one Repair Center. Note: This applies to all except the few users with an Administrator Role. Administrators can create a Group without a Repair Center.
  5. Click Add User link in the TMA Users Groups grid on the Identity
  6. Select the users assigned to the Group.
  7. Click Save on the WebTMA toolbar.

NOTE: After a group record has been created, you must assign access. This is done using the other Tabs on the Groups window. Until these rights are assigned, users assigned to the group cannot open any windows in WebTMA.

Use the information in Window Access on page 48 and Data Access on page 50 for a description and instructions on how to add access. If you use LDAP login authentication, see the next topic, How to Set LDAP Security Groups.

How to Set LDAP Security Groups

Path: Admin > User Management > Groups / Identity Tab

The LDAP names shown in the lower Security Group grid of the Groups window are the categories established by your network administrator for your organization's network. WebTMA administrators can select the particular domain to display the list; however, they cannot add or modify the list.

Locate the Groups record to which you want to add an LDAP Security Group.

  1. Click Edit on the WebTMA toolbar.
  2. Click the Add LDAP Group link at the top of the Security Group grid.
  3. Select the Domain on the LDAP Entry popup window.
  4. (Optional) Select an Organizational Unit and/or Group Name to filter the results.
  5. Click the Search
  6. Click the check box adjacent to the desired group name or names.
  7. Click the Add Selected button to close the popup.
  8. Click Save on the WebTMA toolbar.

How to Add SSO to Groups

  1. Click Edit on the WebTMA toolbar.
  2. Click the Add SSO Group link at the top of the Security Group grid to open the SSO Entry popup window.
  3. Type the SSO Group name in the free-form Group
  4. Click the Save button on the popup window.
  5. Click Save on the WebTMA toolbar.

Groups Preferences Tab

Settings on the Preferences Tab propagate to user records assigned to the group. When the LDAP Server Setup window has the Auto-Create TMA User from LDAP User check box marked, preference settings are added during creation of the new User record; however, restrictive rules apply.

When the check box is marked on the LDAP Server Setup window, Groups / Preferences are assigned to the new user. These preferences are taken from the settings marked on the Group record.

For example, if the LDAP Security Group applies to WebTMA Group 1, Group 2, and Group 3, a preference marked as True for one or more of the applicable groups is assigned to the new User record. If none of the applicable groups have a given preference selected as True or False, that preference remains blank on the new User record.

Selection and text fields such as Time Zone and Date Format are populated only if the assigned values for all the applicable WebTMA groups are identical. If any of the groups has a different value or no value, the preference is left blank and can be assigned from the new user record. Go to Admin > User Management > Records / Preferences Tab to review or change settings.

Groups Privileges Tab

The selections available on the Groups / Privileges Tab are the same as the Admin > User Management > Records / Privileges Tab described on page 45. The Privileges Tab is used for more restrictive actions.

In addition, the Groups / Privileges window includes three Subtabs to differentiate among the types of users in the Group: User, Technician, and Requestor. The User Subtab has the most comprehensive list of settings compared to the Technician or Requestor Subtabs.

Groups Repair Center Tab

Path: Admin > User Management > Groups / Repair Center Tab

The Repair Center Tab on the Groups window is used to restrict access to User records by others. It does not confer Repair Center access on the Group itself; therefore, the repair centers listed on the Groups / Repair Center Tab are not inherited by the User records of any Users assigned to the Group.

Users that have a Role of Admin are the only kind of Users that have access to all Group records regardless of the repair center access associated with the Admin.

Normal Users cannot access a Group record from the Groups window unless they also have access to a repair center listed on the User Management > Groups / Repair Center Tab. Technicians, Requestors, and Contractors are assigned repair center access from their corresponding windows. Technician windows are found at Organization > Repair Center > Technician. Requestor windows are found at Admin > User Management > Requestors. Contractor windows are found at Material > Vendors.
